Can I remotely connect to my NAS behind CGNAT from the internet

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Can I remotely connect to my NAS behind CGNAT from the internet

Murf5252

1 post

Wannabe Geek

#299464 10-Sep-2022 09:11

Hi,

I am on starlink which is CGNAT. I want to connect to my QNAP NAS to check security camera software QVRPro. Is there a way I can achieve this. I have an active subscription to Nordvpn but not sure if Nord has a solution. Ipv6 does not work currently with starlink. I have read that a VPN service can make this work but have no idea how. Any help or ideas appreciated.

Thanks

Jiriteach

1119 posts

Uber Geek

ID Verified

Lifetime subscriber

#2965274 10-Sep-2022 09:13

Use something like - https://ngrok.com/pricing or Cloudflare ZeroTrust tunnels.

-- opinions expressed by me are solely my own. ie - personal

davidcole

6041 posts

Uber Geek

Trusted

#2965322 10-Sep-2022 09:37

Or taillscale or zerotier

Previously known as psycik

Home Assistant: Gigabyte AMD A8 Brix, Home Assistant with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Shelly Humidity and Temperature sensors
Media:Chromecast v2, ATV4 4k, ATV4, HDHomeRun Dual
Server Host Plex Server 3x3TB, 4x4TB using MergerFS, Samsung 850 evo 512 GB SSD, Proxmox Server with 1xW10, 2xUbuntu 22.04 LTS, Backblaze Backups, usenetprime.com fastmail.com Sharesies Trakt.TV Sharesight

freitasm

BDFL - Memuneh
79314 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2965380 10-Sep-2022 10:42

I have Tailscale installed on my laptop and desktop, as well as my Synology NAS. This way I can access the NAS from anywhere, without having to port forward anything. But it gives every device a new IP address.

So I use another option. If you have more time to configure have a cloudflared docker instance on your NAS, and configure a private network for that using the Cloudflare rules (see screenshots). Using the WARP client and logging into your account will give you access to the private network.

The difference here is that Tailscale will create a network with its own IP addresses while on cloudlfared you create a split tunnel that let you access your network using existing IP addresses.

If you have your own domain you can extend this to create a tunnel that points to your NAS so you can access it via a URL and a sub-domain on your browser so you don't even need the WARP client if you just need browser access. In addition you then can configure an Cloudflare Access Application and set it so that only people with some email addresses (or logged via Office 365 or Google Workspace accounts) can access to the subdomain. This way you can access your NAS via browser without having to install any client so you can do it from any machine.

davidcole

6041 posts

Uber Geek

Trusted

#2965619 10-Sep-2022 20:22

Also with cloudflared you do have to be somewhat careful. It does simplify the network side and remove the need to port forward.

But it also by default requires the destination application or device to provide all the security. Eg I do it for Nextcloud. But Nextcloud has pretty good security.

I also do it for some ssh. And while I use ssh keys I have also put it behind cloudflare access for for extra security.

BarTender

3607 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#2965623 10-Sep-2022 20:34

Run WireGuard very happily on my Synology which is the free version of tailscale.

freitasm

BDFL - Memuneh
79314 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2965624 10-Sep-2022 20:39

davidcole: Also with cloudflared you do have to be somewhat careful. It does simplify the network side and remove the need to port forward.

But it also by default requires the destination application or device to provide all the security. Eg I do it for Nextcloud. But Nextcloud has pretty good security.

I also do it for some ssh. And while I use ssh keys I have also put it behind cloudflare access for for extra security.

Not quite. If you expose as an application within a subdomain you can lockdown access with rules. And if you expose it via tunnel then it is an outbound connection so no firewall needed. If you expose an existing Web service using a port forward then you need to block any connection not coming from a Cloudflare IP address. Similarly if your application is directly connected to the Internet.

Well configured it is safer than port forward and firewalls.

boland

547 posts

Ultimate Geek

#2965898 11-Sep-2022 15:56

freitasm:

I have Tailscale installed on my laptop and desktop, as well as my Synology NAS. This way I can access the NAS from anywhere, without having to port forward anything. But it gives every device a new IP address.

So I use another option. If you have more time to configure have a cloudflared docker instance on your NAS, and configure a private network for that using the Cloudflare rules (see screenshots). Using the WARP client and logging into your account will give you access to the private network.

I'm using Tailscale as well and also ran into the problem of the new IP addresses. I've got a QNAP NAS and I want to connect to it from the Android app regardless of whether I'm connected to Tailscale or not.

I've got a Raspberry PI with Pi Hole that serves as DNS server.

What I have done, is add a manual DNS entry to my Pi Hole with the FQDN of my NAS (e.g. nas.tailscale.beta.net) with the internal (192.168.x) IP address of my NAS. In my Android app I'm using that FQDN as the URL. And then it works magically! With the DNS feature in Tailscale it automatically registers the FQDN nas.tailscale.beta.net to point to the Tailscale 100.100 address, and Pi Hole ensures it resolves to 192.168.x.x while at home.

Perhaps not the most elegant solution but it works.